Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
Lanlan Pan <abbypan@gmail.com> Mon, 14 August 2017 04:57 UTC
Return-Path: <abbypan@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C0221252BA for <dnsop@ietfa.amsl.com>; Sun, 13 Aug 2017 21:57:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8j5l4VQf-Z5C for <dnsop@ietfa.amsl.com>; Sun, 13 Aug 2017 21:57:02 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB87124BE8 for <dnsop@ietf.org>; Sun, 13 Aug 2017 21:57:01 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id i66so34527806wmg.0 for <dnsop@ietf.org>; Sun, 13 Aug 2017 21:57:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qyML1dxA7cDov/JC1mlMaxTPN3QkLG9rDSPCX9yKPSU=; b=hKkQHTMGY3X1kbvyHHKfU4C07YzCOr+630+PNSsZT4uKi6RGGjds+3chuiJs3yVr+M OPqIIgA9tyVLPDuic9EhFkd0jmxqR07mC1VLq2P6kUgMG9up9qqhgoHH0QdRekd09/c5 97COS+iBDCaHtI3r6gR0ooBzj8+W7ae3xEElvoDaJ2F5L6h8MERjBXM6vH9bnR1xe5da z5GeDieEhLgtNpJf7fmptsxuRsDZxGgere3NnnlEjaE4QQ7YwVo+6Yn1GwqyZUgplQOM xQ0QBcjnxlAAW0UOM+Yy/0E4VTGa8Qm3wjrhMqC3gAKC4brPINkz879asF1fqeXI8cpo XtUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qyML1dxA7cDov/JC1mlMaxTPN3QkLG9rDSPCX9yKPSU=; b=KG5UQ39kz6eqrC0KsgpQ7TwhxWbqDESuwGOl3Ww85OdQUjhLZ8+Uh/S67yeuRm2Blu y09Mvue0Qc9+KqrDafCur6z3QHEE1Y+iuBrqI+OP1ezmi/wsnfiyvuAKkSPDvMUw4/hC F562V9abI/ad1LPQQH8gPfh5wQZNDaeauBGrNlOe+JYcvzLonWo7xmF7oth09JRWdP8K +dzs1nY9P+JlQOTwqvyr4mMyw2WM7WpFFK9XkYYdscZaY15nxJR7EhCpOPUcNXCcY/AV xJPmIh+72nGOaKQR/kD16O6xkokoSxku+Qxn3zQ+4SFbOXsekXe1fuSWp3LhJwEHvHDK uO9g==
X-Gm-Message-State: AHYfb5iHlPeyE9Cwjhm7FqYOePC+IHXbBT8tjR/E+bJL66Rd+MDJusY/ j+WzGMK+mQBTRz+a8emsvrXjWMmYQhal
X-Received: by 10.80.138.6 with SMTP id i6mr22722551edi.247.1502686620193; Sun, 13 Aug 2017 21:57:00 -0700 (PDT)
MIME-Version: 1.0
References: <149908054910.760.8140876567010458934.idtracker@ietfa.amsl.com> <CAAiTEH8ntOerB6MGKMS2xcCK3TL9n4fyLq6F+bpUY6oTUpWN8w@mail.gmail.com> <CANLjSvWOzaJcVL64BhNFKnTUEgfq06TQtoy=ZNJ_JafvPU1aSA@mail.gmail.com> <1659363.yAWSxLQAC2@tums.local>
In-Reply-To: <1659363.yAWSxLQAC2@tums.local>
From: Lanlan Pan <abbypan@gmail.com>
Date: Mon, 14 Aug 2017 04:56:49 +0000
Message-ID: <CANLjSvUkoYt1LXwVQ90MVej6mwOg4Q_2=PT=+Rwrf=8k5WAaRA@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Matthew Pounsett <matt@conundrum.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Petr Špaček <petr.spacek@nic.cz>, Vladimír Čunát <vladimir.cunat@nic.cz>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1957843499dc0556af7ed6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4p83nySK9lBk5n0ZcZQRfUGQqfE>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 04:57:04 -0000
Hi Paul, Maybe it makes a mountain out of a molehill. "Give to the emperor the things that are the emperor's, and to God the things that are God's.“, we can seperate security issue and subdomain wildcard cache issue. I think, SWILD has no influence on DNSSEC deployment : 1) If recursive wants to deploy DNSSEC, it is almost impossible because of NSEC/NSEC3 aggressiveuse Wildcards. *Security need is the greatest motivation behind DNSSEC depolyment.* 2) If recursive doesn't want to deploy DNSSEC, it is almost impossible because of SWILD. Imagine that, there is no SWILD to give precise subdomain wildcard information from authoritative, recursive can use random subdomain detect method to make cache optimization, which was described in DNS Noise: Measuring the Pervasiveness ofDisposable Domains in Modern DNS Traffic <http://astrolavos.gatech.edu/articles/dnsnoise-dsn2014.pdf>. But the rate of "DNSSEC + NSEC + default dns query with DNSSEC” has influnence on subdomain wildcard cache issue if we only accept unique solution depend on it. Paul Vixie <paul@redbarn.org>于2017年8月12日周六 下午11:42写道: > On Saturday, August 12, 2017 8:29:45 AM GMT Lanlan Pan wrote: > > ... > > > > SWILD is a feature just for recusive cache optimization, only dealing > with > > the wildcard subdomain issue (with no nodes below). > > DNSSEC + NSEC aggressive is security feature, with cryptographic contents > > such as KSK/ZSK/NSEC/NSEC3/NSEC5/... > > > > My assumption is: *we can give recursive server an alternative solution > for > > wildcard subdomain cache issue, not need to depend on DNSSEC.* > > Authoritative server just simply add one SWILD RR, not much deploy cost. > > Recursive server can add SWILD support if it has an interest in wildcard > > subdomain cache optimization, it is OPT-IN. > > > > *I don't expect implementers would adopt SWILD 100% before adopting > > DNSSEC+NSEC aggressive. Just give an alternative choice, implementers can > > decide adopting or not, before or after, we won't pre-select for them.* > > we do, though, and we must. DNSSEC development began in 1996, and > deployment > is stalled due to lack of motivation. it is the IETF's position that > DNSSEC is > a public good in that it will enable a general world-wide security level > that > has always eluded the Internet. > > any DNSSEC feature that we decide to offer separately ("a la carte") is > both a > missed opportunity to increase the deployment of DNSSEC, and a > self-inflicted > wound that deliberately further stalls that deployment. > > noting that DNSSEC as a protocol is of atrociously low quality ("it's > crap"), > i am in no way defending the design itself. however, it does work, and we > would be acting contrary to our own best interests ("folly") if we took up > anything like SWILD, or allowed anything like SWILD on the individual > track. > > failing that level of commitment, the IETF ought to kill DNSSEC altogether. > > this is very similar to the "shall we had IPv6's features to IPv4, since > V6 is > taking so long to deploy, and these features are badly needed?" debate. > > vixie > -- 致礼 Best Regards 潘蓝兰 Pan Lanlan
- [DNSOP] Fwd: New Version Notification for draft-p… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-pa… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Richard Gibson
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Dave Crocker
- Re: [DNSOP] New Version Notification for draft-pa… Peter van Dijk
- Re: [DNSOP] New Version Notification for draft-pa… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Davey Song
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Ralf Weber
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Davey Song
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John Levine
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Matthew Pounsett
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] New Version Notification for draft-pa… Ted Lemon
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] New Version Notification for draft-pa… Ralf Weber
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] updating fragile dnssec, was Fwd: New… John R Levine
- Re: [DNSOP] updating fragile dnssec, was Fwd: New… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Ted Lemon
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John Levine
- Re: [DNSOP] New Version Notification for draft-pa… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Petr Špaček
- Re: [DNSOP] fragile dnssec, was Fwd: New Version A. Schulze